DNSPX is a configurable DNS proxy and resolver designed for local development and cloud environments, featuring request caching, rule-based routing, and AWS service discovery.
DNSPX is thoroughly tested with 334 comprehensive tests covering all major functionality including AWS integration, DNS processing, caching, and error handling scenarios.
AWS service discovery is extensively tested with comprehensive integration tests covering:
- Multi-account credential management and role assumption
- VPC endpoint discovery across all supported AWS services
- Route53 resolver integration and private hosted zones
- Error handling for credential failures, API timeouts, and regional issues
- MFA authentication flows
- Windows SSPI Authentication: Experimental support for Windows proxy authentication. Test thoroughly in your environment.
- High-Volume Production: While tested for functionality and basic performance, validate throughput requirements in your specific setup.
For security considerations and known vulnerabilities, please see SECURITY.md.
Real-time DNS query monitoring with performance metrics and log analysis
Comprehensive DNS cache inspection with TTL tracking
- DNS Proxy: Forwards DNS queries to upstream resolvers (UDP & TCP).
- Configurable Resolvers: Supports standard DNS (UDP/TCP) and DNS-over-HTTPS (DoH) upstream resolvers.
- Flexible Resolver Strategies:
First,Random,Rotate,Fastest(for rules/default). - Caching: In-memory cache for DNS responses to reduce latency and upstream load.
- Configurable TTL (min/max).
- Option to serve stale entries on upstream error.
- Rule-Based Routing: Direct queries based on domain patterns to specific resolvers or actions (Block, Allow, ResolveLocal, Forward).
- Local Hosts Resolution: Serves records from a configurable local hosts mapping.
- AWS Service Discovery:
- Discovers AWS resources (VPC Endpoints, EC2 instances, RDS, ElastiCache, DocumentDB, Private API Gateways) using specified AWS profiles or credentials.
- Automatically creates DNS entries for discovered resources in the internal cache.
- Supports IAM role assumption for cross-account access.
- Handles MFA for AWS authentication.
- Discovers Route 53 Inbound Resolver Endpoints and Private Hosted Zones for enhanced VPC-internal name resolution.
- AWS Profile Management: TUI interface for setting up and testing AWS account configurations.
- Text User Interface (TUI):
- Real-time dashboard showing status, query count, QPS, cache statistics, and listener status.
- Live log viewer with filtering capabilities.
- Interactive DNS cache viewer with options to add/delete synthetic entries.
- AWS Scanner status and detailed error reporting.
- Query Logging: Optional logging of processed DNS queries.
- Status Reporting: Provides detailed application status including configuration validity and AWS scanner activity.
- Secure Auto-Updater:
- GitHub release monitoring with cryptographic signature verification.
- SLSA provenance validation for supply chain security.
- Configurable update intervals and rollback capabilities.
- Breaking change detection and user notification.
- Transactional updates with automatic backup and recovery.
- File-Based Configuration: Single TOML file (
dnspx_config.toml) for all settings. - Legacy JSON Configuration Migration: Supports automatic migration from older JSON-based configuration files.
- Dynamic Configuration Reload: Monitors the configuration file for changes and reloads automatically.
- CLI Options:
--config <path>: Specify a custom configuration file path.--tui: Launch the TUI dashboard.--cli-only: Run in a simple command-line mode without the TUI.
- Rust 1.70 or later.
- AWS CLI configured (recommended for easier AWS profile setup, especially for AWS service discovery features).
git clone https://github.com/marcelwenner/dnspx
cd dnspx
cargo build --release# Start DNS proxy using default config (dnspx_config.toml in current dir or user config)
./target/release/dnspx
# Start DNS proxy with a specific configuration file
./target/release/dnspx --config /path/to/your/config.toml
# Launch TUI monitoring interface
./target/release/dnspx --tui
# Run in simple CLI mode (no TUI dashboard)
./target/release/dnspx --cli-onlyDNSPX is configured using a TOML file, typically named dnspx_config.toml.
If no --config flag is provided, it looks for dnspx_config.toml in the current directory, then in the user's config directory (e.g., ~/.config/dnspx/dnspx_config.toml).
# Server settings
[server]
listen_address = "0.0.0.0:53" # Address and port to listen on
protocols = ["Udp", "Tcp"] # Protocols to listen on (Udp, Tcp)
# network_whitelist = ["192.168.1.0/24", "10.0.0.1"] # Optional: Restrict access
default_query_timeout = "500ms" # Default timeout for DNS queries originating from clients
# Default upstream resolver configuration (used if no rules match)
[default_resolver]
nameservers = ["1.1.1.1:53", "https://cloudflare-dns.com/dns-query"] # Mix of standard DNS and DoH
strategy = "First" # "First", "Random", "Rotate", "Fastest"
timeout = "500ms" # Timeout for upstream queries
# doh_compression_mutation = false # Obscure DoH setting, rarely needed
# DNS cache settings
[cache]
enabled = true
max_capacity = 10000
min_ttl = "1m" # Minimum TTL for cached entries
max_ttl = "1d" # Maximum TTL for cached entries
serve_stale_if_error = true # Serve stale cache if upstream fails
serve_stale_max_ttl = "1h" # Max age of stale entry to serve
# Local hosts definitions
# [local_hosts]
# entries = { "my.local.service" = "192.168.1.100", "another.one" = "10.0.0.5" }
# file_path = "/etc/dnspx_hosts" # Optional: path to a hosts file (not yet fully implemented for file format)
# watch_file = true # Optional: watch file_path for changes (not yet fully implemented)
# Routing rules
# [[routing_rules]]
# name = "Block Ads"
# domain_pattern = "(^|\\.)adservice\\.google\\.com$" # Regex pattern
# action = "Block" # "Forward", "Block", "Allow", "ResolveLocal"
# invert_match = false # Optional: if true, rule applies to non-matching domains
# [[routing_rules]]
# name = "Internal Services via Specific DNS"
# domain_pattern = "\\.corp\\.internal$"
# action = "Forward"
# nameservers = ["10.0.1.1:53", "10.0.1.2:53"]
# strategy = "Rotate"
# timeout = "200ms"
# HTTP Proxy for DoH requests (optional)
# [http_proxy]
# url = "http://proxy.example.com:8080"
# username = "user" # Optional
# password = "password" # Optional
# Automatic Updates (optional)
# [updates]
# enabled = true
# check_interval = "1h" # How often to check for updates
# auto_install = false # Set to true for automatic installation
# backup_count = 3 # Number of backups to keep
# github_repo = "marcelwenner/dnspx" # GitHub repository for releases
# [updates.security]
# verify_signatures = true # Enable cryptographic verification
# verify_slsa_provenance = true # Enable SLSA supply chain verification
# AWS Integration settings (optional)
# [aws]
# default_region = "us-east-1"
# output_file_name = "aws_proxy_bypass.txt" # Optional: File for discovered AWS domains
# scan_interval = "15m" # How often to rescan AWS resources
# credentials_cache_enabled = true
# credential_cache_ttl = "50m"
# [[aws.accounts]]
# label = "dev-account" # User-friendly label for TUI
# profile_name = "my-dev-profile" # AWS CLI profile name
# # account_id = "123456789012" # Optional: For verification
# # scan_vpc_ids = ["vpc-012345abcdef", "vpc-fedcba543210"] # VPCs to scan
# # scan_regions = ["us-east-1", "eu-west-2"] # Regions to scan for this account
# # [aws.accounts.discover_services] # Control which services are discovered
# # vpc_endpoints = true
# # ec2_instances = true
# # rds_instances = true
# # elasticache_clusters = true
# # docdb_clusters = true
# # api_gateways_private = true
# # [[aws.accounts.roles_to_assume]]
# # role_arn = "arn:aws:iam::098765432109:role/AnotherRole"
# # label = "assumed-role-label" # Optional
# Logging configuration
[logging]
level = "info" # "trace", "debug", "info", "warn", "error"
format = "Pretty" # "Pretty", "Json", "Compact"
query_log_enabled = false # If true, logs every DNS query
# CLI/TUI behavior
[cli]
enable_colors = true # Enable/disable colors in CLI/TUI output
status_refresh_interval_secs = 5 # TUI status panel refresh intervalserver.listen_address: IP and port DNSPX listens on (e.g.,0.0.0.0:53).default_resolver.nameservers: List of upstream DNS servers (IP:Port or DoH URLs) used if no specific rule matches.routing_rules: An array of rules. Each rule has:name: A descriptive name.domain_pattern: A regex pattern to match domain names.action: What to do if the pattern matches (Forward,Block,Allow,ResolveLocal).nameservers(forForward): Specific upstreams for this rule.
cache: Configures caching behavior (TTL, capacity).updates: Configures automatic update checking and installation.enabled: Enable/disable update checking.auto_install: Whether to automatically install updates.security: Cryptographic verification settings for supply chain security.
aws: Configures AWS integration for service discovery.accounts: List of AWS accounts to scan, typically referencing AWS CLI profiles.discover_services: Fine-grained control over which AWS service types are discovered.
logging: Controls log level and format.
DNSPX is designed with a modular architecture, loosely following the Ports and Adapters (Hexagonal Architecture) pattern.
- Core Domain (
core/): Contains the business logic, including the DNS request processing pipeline, caching logic (DnsCache), rule engine (RuleEngine), and local hosts resolution (LocalHostsResolver). It defines traits (ports) for external interactions. - Adapters (
adapters/): Implement the ports defined by the core. These handle I/O, external service integrations, and UI.- Server Adapters (
adapters/server/): Handle incoming DNS requests (UDP/TCP listeners). - Resolver Adapters (
adapters/resolver/): Implement upstream DNS resolution (standard DNS, DoH). - AWS Adapters (
adapters/aws/): Manage AWS credentials and VPC/service discovery. - Configuration Adapter (
adapters/config/): Handles loading and saving configuration from/to files. - TUI Adapter (
adapters/tui/): Provides the text-based user interface. - CLI Adapter (
adapters/cli/): Provides the command-line interface. - Status Adapter (
adapters/status/): Manages and reports application status.
- Server Adapters (
- Ports (
ports/): Defines the interfaces (Rust traits) between the core domain and the adapters. This promotes decoupling. - App Lifecycle (
app_lifecycle.rs): Manages the overall application state, startup, shutdown, and coordination between components.
DNSPX listens on the configured port (default 53) for UDP and TCP DNS queries. Requests are processed through a pipeline involving local hosts, caching, rule-based routing, and finally upstream resolution if necessary. AWS discovery runs periodically in the background to update internal DNS records for AWS services.
DNSPX includes an extensive test suite with 334 automated tests ensuring reliability and correctness:
# Run all tests (334 tests covering all functionality)
cargo test
# Run AWS integration tests specifically
cargo test adapters::aws::tests
# Run with linting checks
cargo clippy --all-targets --all-features -- -D warningsTest Coverage:
- Core DNS Processing: Request parsing, caching, rule engine, local hosts resolution
- AWS Integration: 36 comprehensive tests covering multi-account setups, credential handling, service discovery, error scenarios
- Update System: Secure auto-updater with signature verification, SLSA provenance, rollback testing
- Network Layer: UDP/TCP listeners, upstream resolver strategies, DoH support
- Configuration: TOML parsing, validation, hot-reloading
- Error Handling: Network failures, malformed requests, credential issues, API timeouts
./test/dns-proxy-test.sh(Ensure dnspx is running and accessible at 127.0.0.1:53 before running the test script.)
DNSPX supports modular compilation through feature flags for optimized deployments:
# Full build with all features (default)
cargo build --release
# Minimal build without AWS integration and TUI (smallest binary)
cargo build --release --no-default-features --features minimal
# AWS-only build without TUI (for headless servers)
cargo build --release --no-default-features --features aws
# TUI-only build without AWS (for DNS proxy only)
cargo build --release --no-default-features --features tui
# Custom feature combinations
cargo build --release --features aws,tuiAvailable Feature Flags:
aws: AWS service discovery and integrationtui: Terminal user interface and monitoring dashboardminimal: Minimal build without cloud integrations or TUIdefault: Includes bothawsandtuifeatures
- Local Development: Run directly using
cargo runor the compiled binary. Ideal for local development setups needing custom DNS resolution. - Docker Deployment: (Dockerfile not yet provided) DNSPX can be containerized for deployment.
- Cloud Deployment (AWS/Azure/GCP): Can be deployed on a VM or container service in cloud environments. For AWS, it can leverage IAM roles for service discovery.
Performance results are based on the included dns-proxy-test.sh script. These represent functional DNS proxy performance with standard caching benefits.
- DNS Proxy:
127.0.0.1:53(running locally) - Fallback DNS for comparison:
1.1.1.1 - Test domains: 8 popular websites, plus others for specific tests.
- Machine: (Specify your test machine: e.g., Core i7, 16GB RAM, Linux)
| Metric | Value | Notes |
|---|---|---|
| Avg. Response Time | ~26.69ms | With caching enabled (for repeated queries) |
| Cache Hit Improvement | ~20% faster | Second query vs. first for same domain |
| Concurrent Throughput | ~250 queries/sec | Peak under burst load (10 concurrent) |
| Sustained Throughput | ~31.74 queries/sec | Under continuous load (20 queries) |
| Success Rate | 100% | All test queries resolved correctly |
| Proxy Overhead (vs 1.1.1.1) | ~20% | For uncached queries, typical proxy layer |
- Cache Miss (first query to a new domain): ~33ms (example value)
- Cache Hit (subsequent query to same domain): ~26ms (example value)
- Improvement: Standard ~20% reduction in response time due to caching.
Note: These are example values derived from the test script's calculations and prompt guidance. Actual performance may vary based on network conditions, upstream resolver speed, and hardware.
- Enhanced rule conditions: Client IP filtering via
network_whitelistconfiguration and specific record types support (A, AAAA, etc.). - Robust AWS service discovery: Comprehensive multi-account support, credential management, service discovery across VPC endpoints, EC2, RDS, ElastiCache, DocumentDB, Route53 resolvers, and private hosted zones.
- Secure update system: Cryptographic signature verification, SLSA provenance validation, transactional updates with rollback capabilities.
- Build feature flags: Modular compilation with
aws,tui, andminimalfeature flags for optimized deployments.
- Azure integration: Service discovery for Azure VNets, App Services, and Azure DNS Private Zones.
- Google Cloud Platform (GCP) integration: VPC discovery, Cloud DNS, and Compute Engine integration.
- Support for DoT (DNS-over-TLS) upstream resolvers.
- Persistent cache option (e.g., SQLite, Redis).
- Enhanced update system with differential updates and A/B testing.
- Integration with more package managers and distribution channels.
- Advanced rule conditions with time-based and geolocation filters.
- Enhanced monitoring with Prometheus metrics export.
Contributions are welcome! Please feel free to:
- Submit a Pull Request with your proposed changes.
- Open an Issue to report bugs, suggest features, or ask questions.
- Participate in Discussions.
Please follow standard GitHub Fork & Pull Request workflows. Ensure your code:
- Is formatted with
rustfmt - Passes all 334 tests with
cargo test - Passes linting with
cargo clippy --all-targets --all-features -- -D warnings - Includes appropriate test coverage for new functionality